Thursday, December 5, 2013

I search configs a lot via the CLI. This saves time and sometimes downloading a config and searching it in Notepad++ is not an option.
When looking for particular pieces of a config you can use the UNIX style "grep" command to filter output, for example:

# show | grep 192.168.1.99
set ip 192.168.1.99 255.255.255.0

Great. Now we know that there is a line that contains the IP address. But where in the config is it? In FortiOS 5.0 a "context" switch for grep (-f) was introduced which helps in tracking this down.

Notice that when using the -f switch the firewall shows the entire "context" that the string is used in. Also there's a handy little arrow on the right which points out where in the context the string exists.
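The context search is easy to reproduce offline for a saved config, which is handy when you are reading a backup rather than a live box. The script below is an added example (not from the original post and not Fortinet's code): it walks a FortiOS-style config dump, tracks the open config/edit blocks, and for each hit prints the enclosing headers, the matching line with an arrow, and the closing next/end lines, much like "show | grep -f". The sample config, the marker text and the function names are all constructed for the example.

```python
"""Context-aware search over a FortiOS-style configuration dump."""

# Constructed sample config (not taken from a real device), shaped like
# the output of "show": nested config/edit blocks closed by next/end.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
    next
end
config firewall address
    edit "mgmt-host"
        set subnet 192.168.1.99 255.255.255.255
    next
end
"""

OPENERS = ("config ", "edit ")
CLOSERS = ("end", "next")


def grep(config_text, needle):
    """Plain filter, like 'show | grep <string>': matching lines only."""
    return [line.strip() for line in config_text.splitlines() if needle in line]


def _closer_for(header):
    """'config ...' blocks close with 'end', 'edit ...' blocks with 'next'."""
    return "end" if header.lstrip().startswith("config ") else "next"


def _render(parents, hit, is_opener, marker):
    """Build one context block: enclosing headers, the marked hit, closers."""
    block = list(parents) + [f"{hit}  {marker}"]
    # if the hit is itself a header, close it too; otherwise only its parents
    to_close = parents + [hit] if is_opener else parents
    for header in reversed(to_close):
        indent = header[: len(header) - len(header.lstrip())]
        block.append(indent + _closer_for(header))
    return "\n".join(block)


def grep_context(config_text, needle, marker="<---"):
    """Context filter, like 'show | grep -f <string>'.

    Returns one string per hit, each showing the config/edit headers the
    matching line sits under, the line itself marked with the arrow, and
    the matching next/end closers, so the reader can tell where in the
    config the string lives.
    """
    hits = []
    stack = []  # headers of the blocks currently open, outermost first
    for raw in config_text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if stripped in CLOSERS:
            if stack:
                stack.pop()
            continue
        is_opener = stripped.startswith(OPENERS)
        if needle in stripped:
            hits.append(_render(stack, line, is_opener, marker))
        if is_opener:
            stack.append(line)
    return hits


if __name__ == "__main__":
    for hit in grep_context(SAMPLE_CONFIG, "192.168.1.99"):
        print(hit, end="\n\n")
```

Run against the sample it reports two hits, one under "config system interface / edit port1" and one under "config firewall address / edit mgmt-host", which is exactly the distinction the plain grep output above cannot make.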

Monday, September 30, 2013

From time to time I need to set up lab devices to troubleshoot particular scenarios. Since it is pretty impractical to have "one of each" I use a lot of virtualization technology for this. Here are some handy pointers if you have ever wanted to set up your own lab to test things out.

These and an increasing number of other Fortinet products are available in a VMware version. Head on over to the support site, look for the firmware images section and get yourself a copy. They are valid for 14 days as an evaluation version. Note that FortiOS is limited to a single VDOM when in eval mode.

To make things more realistic I tend to throw a router in between two firewalls. Vyatta has a free version of their routing software available which runs nicely inside the ESXi hypervisor. Their CLI is very JunOS-like, so if you're already familiar with Juniper gear that helps immensely. It's significantly different from Cisco's IOS but well worth jumping into.

Thursday, September 12, 2013

Ever found yourself editing a config via the command line and you just noticed that you made a mistake? Wouldn't it be nice to not have to change everything back to the way it was before you commit with "next" or "end"? Simply use the "abort" command and it will kick you straight back to the main menu without making any changes.

Friday, September 6, 2013

FortiAP wireless access points have the ability to create a full mesh. This is a pretty nifty feature as described in the FortiOS Wireless Deployment Guide:

The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical.

The AP that is connected to the network by Ethernet is called the Mesh Root node. It is configured with an SSID (also called a virtual access point or VAP) dedicated to backhaul communication with the remote FortiAP units. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection. Regular WiFi clients cannot connect to the backhaul SSID. They connect to the regular SSIDs carried on the access points. The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve only regular WiFi clients are called Leaf nodes. Leaf APs that also carry the mesh SSID for more distant Leaf nodes are called Leaf/branch nodes.

In other words you can have the APs all wirelessly connected to each other and APs that are not wired into the network can backhaul their traffic via other APs. The requirement is that at least one of the APs in the chain is hard-wired to the network.

A small gotcha is that by default the wireless mesh uses its own internal IP addressing scheme. The default IP address for the full-mesh interface is 192.168.3.99/24. I found this out the hard way because I have a VPN tunnel to a remote network which also uses 192.168.3.x/24. Looking at the routing table it was easy to see why I could no longer reach the remote VPN network after I had set up my new wireless access points.

There are two routes available in the routing database to 192.168.3.0/24; the ">" in front of the route shows which one has been selected as the active route. Simply changing the network of the mesh interface to something like 192.168.254.99/24 will resolve the issue. This can be done in the GUI via "System -> Network -> Interfaces".
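This kind of collision is cheap to catch before committing a change. The script below is an added example (not part of the original post): it takes a constructed inventory of interface addresses and VPN networks, normalises each to its prefix with the standard library's ipaddress module, and reports every overlapping pair. The inventory names and the 10.0.0.0/24 DMZ entry are made up for the example; the 192.168.3.99/24 mesh default, the 192.168.3.x/24 remote VPN network and the 192.168.254.99/24 fix are the values from the post.

```python
"""Prefix-overlap check for interface and VPN networks (added example)."""
from ipaddress import ip_interface
from itertools import combinations

# Constructed inventory: interface addresses written host/prefix as on the
# FortiGate, the remote VPN network written as a plain prefix.
NETWORKS = {
    "port1 (LAN)": "192.168.1.99/24",
    "port2 (DMZ)": "10.0.0.1/24",
    "wifi-mesh": "192.168.3.99/24",       # FortiOS default mesh interface address
    "vpn-remote-site": "192.168.3.0/24",  # reached through a VPN tunnel
}


def to_network(value):
    """Normalise 'host/prefix' or 'net/prefix' to the prefix it belongs to."""
    return ip_interface(value).network


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose prefixes overlap.

    Any pair returned here means two routes would compete for the same
    destination; the routing table picks one and the other network
    silently becomes unreachable, which is the symptom in the post.
    """
    nets = sorted((name, to_network(value)) for name, value in networks.items())
    return [
        (a, b) for (a, net_a), (b, net_b) in combinations(nets, 2)
        if net_a.overlaps(net_b)
    ]


def readdress(networks, name, new_value):
    """Return a copy of the inventory with one entry changed, for what-if checks."""
    updated = dict(networks)
    updated[name] = new_value
    return updated


if __name__ == "__main__":
    print("before:", find_overlaps(NETWORKS))
    fixed = readdress(NETWORKS, "wifi-mesh", "192.168.254.99/24")
    print("after: ", find_overlaps(fixed))
```

Because overlaps() is used rather than equality, the check also catches the less obvious case where one network is a subnet of another (a /16 behind a tunnel and a /24 on a local interface, say), not only identical /24s.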

Thursday, February 28, 2013

FortiOS 5.0 brings with it an enhancement to how single sign-on can be performed in a Microsoft Active Directory environment.

In prior versions of FortiOS, agent software was needed on either a Domain Controller or a Member Server. There was a lot of pushback since many IT admins were not comfortable running third-party software on their critical AD servers. FortiOS 5.0 allows the firewalls to directly query the AD global catalog and event logs; the agents are now optional.

When a Windows AD user logs on at a workstation in a monitored domain, the FortiGate unit:

detects the logon event in the domain controller’s event log and records the workstation name, domain, and user

resolves the workstation name to an IP address

uses the domain controller’s LDAP server to determine which groups the user belongs to

creates one or more log entries on the FortiGate unit for this logon event as appropriate

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. The selection consists of matching the FSSO group or groups the user belongs to with the security policy or policies that match that group. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.
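The four steps and the policy match above can be modelled in a few dozen lines, which makes the order of operations (and the failure cases) easier to reason about when an FSSO user unexpectedly gets denied. This is an added example, not Fortinet code: the logon events, the name-resolution table, the LDAP group membership and the policy table are all constructed inline, and the rule that a policy matches only when both its destination and one of its groups match, with evaluation continuing to the next policy otherwise and an implicit deny at the end, is an assumption of this model.

```python
"""Toy model of the agentless FSSO flow (added example, not Fortinet code)."""
from ipaddress import ip_address, ip_network

# Constructed inputs. The poller would take these from the DC event log,
# DNS and LDAP respectively; here they are inline so the flow runs offline.
LOGON_EVENTS = [
    {"workstation": "WS-ALICE", "domain": "CORP", "user": "alice"},
    {"workstation": "WS-BOB", "domain": "CORP", "user": "bob"},
    {"workstation": "WS-GHOST", "domain": "CORP", "user": "carol"},  # no DNS record
]
DNS = {"WS-ALICE": "192.168.1.10", "WS-BOB": "192.168.1.11"}
LDAP_GROUPS = {
    "CORP\\alice": {"Domain Users", "Finance"},
    "CORP\\bob": {"Domain Users"},
    "CORP\\carol": {"Domain Users", "Finance"},
}
# Ordered like a policy table. Assumption for this model: the first policy
# whose destination AND one of whose groups both match wins.
POLICIES = [
    {"name": "finance-to-erp", "dst": "10.10.0.0/24", "groups": {"Finance"}},
    {"name": "users-to-web", "dst": "203.0.113.0/24", "groups": {"Domain Users"}},
]


def build_sessions(events, dns, ldap):
    """Steps 1-3 of the flow: logon event -> workstation IP -> user groups.

    Returns a map of source IP -> {user, groups}. A workstation name that
    does not resolve produces no session: the firewall cannot attribute
    traffic to a user it has no IP for, which is a common cause of
    'the user logged on but still gets denied'.
    """
    sessions = {}
    for ev in events:
        ip = dns.get(ev["workstation"])
        if ip is None:
            continue  # unresolvable workstation: no IP, so no usable session
        account = f'{ev["domain"]}\\{ev["user"]}'
        sessions[ip] = {"user": account, "groups": set(ldap.get(account, ()))}
    return sessions


def evaluate(sessions, src_ip, dst_ip, policies):
    """Policy selection for one connection: returns (action, reason)."""
    session = sessions.get(src_ip)
    if session is None:
        return ("deny", "no-session")  # source never seen logging on
    dst = ip_address(dst_ip)
    for pol in policies:
        if dst not in ip_network(pol["dst"]):
            continue
        if session["groups"] & pol["groups"]:
            return ("accept", pol["name"])
    return ("deny", "no-policy")  # nothing matched both destination and group


if __name__ == "__main__":
    sessions = build_sessions(LOGON_EVENTS, DNS, LDAP_GROUPS)
    for src, dst in [("192.168.1.10", "10.10.0.5"), ("192.168.1.11", "10.10.0.5"),
                     ("192.168.1.11", "203.0.113.9"), ("192.168.1.99", "203.0.113.9")]:
        print(src, "->", dst, evaluate(sessions, src, dst, POLICIES))
```

Two of the denials are worth distinguishing when troubleshooting: "no-session" means the firewall never associated the source IP with a user (the workstation name did not resolve, or the logon was never seen), while "no-policy" means the user is known but none of the groups they belong to is permitted for that destination.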